From the wtmp man page:
"Also note that wtmp and btmp are not created by the programs that maintain them. Thus, if these files are removed, record-keeping is turned off."
Oops. Some root user probably saw wtmp getting large and simply removed it (ouch!) so commands like last will no longer produce anything. wtmp can be created with:
touch /var/adm/wtmp
chmod 664 /var/adm/wtmp
chown adm:adm /var/adm/wtmp
Also make sure that /var/adm/btmp exists. If not, use the touch/chmod/chown as above BUT make sure chmod is 640 (NO ONE gets to read btmp except root). lastb is the command that formats the btmp file.
As far as the culprit that made the changes, the user may not have made the changes, a root user ocould have done the deed. Check for duplicate root users:
logins -d
Multiple UID=0 is a BIG security no-no and one of the first hacks made by an intruder. You can also grep through all the /home/*/.sh_history files:
grep username /home/*/.sh_history
Also check if any of the HOME directories have missing .sh_history files, zero'ed .sh_history files, or the permission/ownership on the .sh_history file prevents the owner's shell from recording any commands. Any of those 3 conditions needs to be investigated.
Bill Hassell, sysadmin
